
KMS Key Exposed To Public

Overview

The key policy for this Customer Managed Key (CMK) includes an asterisk (*) in the 'Principal' element of an 'Allow' statement.

Unless that statement also carries a 'Condition' element that narrows the caller (or another statement explicitly denies the access), the wildcard grants the listed KMS actions to every identity in every AWS account, not only to principals in the account that owns the key.

The AWS developer guide provides this guidance:

Do not set the Principal to an asterisk (*) in any key policy statement that allows permissions unless you use conditions to limit the key policy. An asterisk gives every identity in every AWS account permission to use the CMK, unless another policy statement explicitly denies it. Users in other AWS accounts just need corresponding IAM permissions in their own accounts to use the CMK.

You can remediate the issue by reviewing the key policy in the AWS Management Console and reducing its scope: replace the wildcard with the specific principals (IAM roles, users or account root ARNs) that need the key, or keep the wildcard only together with a condition such as 'kms:CallerAccount' or 'aws:PrincipalOrgID' that pins callers to your own account or organization. Note that a condition on 'kms:ViaService' alone does not help, since it limits which service the request passes through, not which account makes it. It is also possible to replace the key policy from the CLI with 'aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json', or with the API by calling the 'PutKeyPolicy' action. In both cases the new document replaces the existing policy entirely, so keep the statement that grants the account root and key administrators access, or you can lock yourself out of the key.
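The following script is an added example and not part of the original page. It implements the check described above: it parses a KMS key policy document (the JSON returned by 'aws kms get-key-policy --key-id <key-id> --policy-name default'), reports every 'Allow' statement whose Principal is '*' or {"AWS": "*"}, and distinguishes statements with no Condition from those whose Condition does, or does not, limit the calling account. The two sample policies, the account ID 111122223333 and the Sids are constructed placeholders, and the set of caller-scoping condition keys is an assumption made for this example rather than an AWS-published list.

```python
# Added example: flag wildcard-principal Allow statements in a KMS key policy.
import json

# Condition keys that restrict *which caller* may use the key. kms:ViaService,
# by contrast, only restricts which AWS service the request comes through and
# leaves the key usable from any account. This set is an assumption made for
# this example, not an exhaustive AWS-published list. Keys are lower-cased
# because IAM condition keys are case-insensitive.
CALLER_SCOPING_CONDITION_KEYS = {
    "kms:calleraccount",
    "aws:principalaccount",
    "aws:principalorgid",
    "aws:principalarn",
}


def _as_list(value):
    """IAM lets a single value stand in for a one-element list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True when the Principal element matches every AWS identity.
    In a resource policy, "*" and {"AWS": "*"} both mean 'any principal'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_keys(condition):
    """Collect the condition keys under every operator (StringEquals, ArnLike, ...)."""
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def find_wildcard_allow_statements(policy):
    """One finding per Allow statement whose Principal is a wildcard.
    `policy` may be the JSON string or the parsed dict. status is one of:
      "public"              - no Condition: any identity in any account
      "unscoped-condition"  - a Condition exists but none of its keys limit the caller
      "scoped-by-condition" - a caller-scoping key such as kms:CallerAccount is present
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        keys = _condition_keys(stmt.get("Condition"))
        if not keys:
            status = "public"
        elif keys & CALLER_SCOPING_CONDITION_KEYS:
            status = "scoped-by-condition"
        else:
            status = "unscoped-condition"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": _as_list(stmt.get("Action")),
                         "condition_keys": sorted(keys),
                         "status": status})
    return findings


def is_exposed(policy):
    """True if any wildcard-principal Allow statement is not scoped to a caller."""
    return any(f["status"] != "scoped-by-condition"
               for f in find_wildcard_allow_statements(policy))


_ROOT = "arn:aws:iam::111122223333:root"  # placeholder account

# Constructed sample: the policy as reported. The second statement opens the
# key to the world; the third has a Condition, but kms:ViaService alone does
# not limit the calling account.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": _ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAnyoneToUseKey", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    {"Sid": "ViaServiceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}

# Constructed sample: the remediated policy. The wildcard statement is kept only
# for the service-integration case and pinned to one account.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": _ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowS3UseFromThisAccountOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333",
                                    "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "EXPOSED" if is_exposed(policy) else "ok")
        for f in find_wildcard_allow_statements(policy):
            print("  ", f["sid"], f["status"], f["condition_keys"])
```

Run it against a real policy by piping the output of 'aws kms get-key-policy ... --output text' into 'find_wildcard_allow_statements'. A "scoped-by-condition" result still deserves a look, since the check only confirms that a caller-scoping key is present, not that its value is the account or organization you expect.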

Vendor

AWS

Cloud Service

IAM

CSMM v1 DAT-04.2

References

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Severity

5

Item Types

AWS::KMS::Key